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<?php 

echo mt_rand(); 


$bet = $_GET[ , bet , ]j 

if (Sbet == mt_rand()) { 
system($_GET[ , cmd’]); 

} 



Would you put this 
code on your server? 
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Can you exploit this code 
on a target server? 


Goab 

Provide practical techniques for the exploitation 
of randomness vulnerabilities in PHP applications 


Attack T emplate 









































Entropy Generation in PHP 




mt_rand()/mt_srand(): 

• PRNG based on the Mersenne Twister generator. 

• mt_srand() seeds the generator with a 32 bit value 

• mt_rand() produces a 32 bit but PHP truncates the LSB. 

• Can return a number in a smaller range. 


rand()/srand() 

• Uses the rand() function from the OS 

• seeded with a 32 bit value and produces 31 bit outputs. 

• Can return a number in a smaller range. 


php_combined_lcg()/lcg_value() 

• php_combined_lcg() is used internall by the PHP system. 

• lcg_value is its public interface. 

• Combines two 32 bit LCGs and produces a 64 bit output. 

• Seeded only once the first time it is called. 


uniqid(prefix, extra_entropy) 

• When called without arguments produces a timestamp 
with seconds and microseconds since unix epoch. 

• The first argument adds a user supplied prefix to the 
timestamp. 

• The second argument adds an output of 
php_combined_lcg() as suffix. 



openssl_random_pseudo_bytes() 

• Interface to the openssl function with the same name. 

• Returns a number of pseudorandom bytes. 

• A flag is used to tell if the bytes are crypto strong. 

• Requires openssl extension. 


mcrypt_create_iv() 

• Gathers entropy from the operating system generators 

• /dev/random, /dev/urandom 

• Requires mcrypt extension. 



HmeStampS make really good PRNG Seeds, provided you’re 
willing to kill everyone who owns a clock. 

-- Matthew Green 


Timestamps Facts: 

• Enoch (time ud to seconds accuracy) is leaked to the client 


Timestamps Facts: 

• Epoch (time up to seconds accuracy) is leaked to the client 
through the HTTP Data Header. 

• Microseconds range from 0 to 10 A 6 

• Therefore a trivial bruteforce will succeed after 500k 
requests on average. 


Gan we do better than 500k 1 

• Adversial Time Synchronization 

• Request Twins 


Adversarial Time Synchronization (ATS) 


lul 2012 08:59:27 GMT 
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localtime 


servertime 



RTT2 







attacker’s token 


Web Server 


- ► 

reset attacker’s password 


reset admin’s password 


[Interval] 


token = H(microtimeQ) 



admin token 

▼ 


admin 





Experiment 

Predict the output of the following script: 

<?php 

echo microtimeQ; 


Results 


Configuration 

ATS 

Req. Twins 

CPU(GHz) 

RTT(ms) 

min 

max 

avg 

min 

max 

avg 

1 x 3.2 

1.1 

0 

4300 

410 

0 

1485 

47 

4 x 2.3 

8.2 

5 

76693 

4135 

565 

1669 

1153 

1 x 0.3 

9 

53 

39266 

2724 

1420 

23022 

4849 

2 x 2.6 

135 

73 :j 

140886 

83573 

2 

1890 

299 


Time is in microseconds 

















Case study 



The art of e-commerce 







• Token generation: 

• seeds mt_rand with microtime(). 

• Produces token using mt_rand(). 

• Configuration: 

• 2 cores system 

• RTT =~ 10 ms 



Results: 

On average 7k requests to 
compromise the application 

bonus: 

code execution on the server! 




In order to attack the seed we need the ability to interact 
with newly seeded generators. This usually happens when 
a fresh process is created. 


Process management 


Process management 


We will focus here! 


Apache handler (mod_php): 

• PHP runs as an Apache web server module. 

CGI: 

• There is a new PHP process spawned for each 
request and terminated after the request is served. 

Fast CGI: 

• There are a number of PHP processes serving 
requests repeatedly. They are usually killed after 
they served a predefined number of requests. 


Keep-Alive Requests 

• When the Connection HTTP header is set to Keep- 
Alive the web server keep the connection open. 

• There is a maximum number of keep-alive requests. 

• In mod_php all requests within the same connection 
are handled by the same process. 

• Multiple requests to the same PHP process. 


Generating fresh PHP processes 

In mocLphp when the number of occupied processes 
reaches a certain threshold the server creates new 
processes to handle subsequent requests. 

• The default threshold in Apache is to have less 
than 5 idle processes. 

We can exploit this functionality to force the creation 
of new PHP processes! 


Technique 

• Create a large number of connections using the Keep-Alive 
HTTP header. 

• While keeping these connections alive make a new 
connection to the server. 

• The new connection is very likely to be handled by a fresh 
PHP process. 


Hacking your own PHP session identifier 


ftavH II nhn romhinpH Iran" 



session_id = MD5(client IP address || time_of_day() || php_combined_lcg()) 

• if the total entropy is "small" then we can obtain 
a preimage by bruteforce. 

• This gives us the value of php_combined_lcg(). 


But what does small means? 




Since we have access to the MD5 sum we can perform 
the bruteforcing on the CPU rather over the network. 

• 250S GPU -> 2 A {30} MD5 / sec. 

• 750S GPU -> 2 A {32} MD5 /sec. 

Entropies up to 40 bits are easily handled... 



session_i 


= MD5(client IP address || time_of_day() || php_combined_lcg()) 

/ i 

Known since its the Provides up to 20 bits of entropy which 

attacker's IP address, can be reduced using the ATS algorithm. 


php_combined_lcg has a 64 bits output so bruteforcing the 
output is not feasible. 



Since we can generate fresh processes we can try to 
predict the first output which is simply one round of the 
generator with the seed. 



php_combined_lcg has two 32 bit registers si, s2. 
Seeding: 

Sl = Ti.sec © ( T\.usec 11) and S 2 = pid © (T^.usec 

• Tl, T2: two subsequent timestamps 

• pid: PHP process identifier. 



0 bits < 20 bits 15 bits 

\ t i 

s i = T\.sec ® ( T\.usec <C 11) and S 2 = pid ® ( T 2 .usec <C 11) 



Calculated asA = T2-Tl. 
Entropy =~ 3 bits. 



Total entropy of session identifier 
in a fresh process is about 40 bits. 


UJSIV1 VJ/J - 




By bruteforcing the session identifier of a 
fresh process we can obtain: 

• the seed of php_combined_lcg 

• the process identifier of the PHP process. 










What about the other KINGS'? 


0 / mt_rand() 


Seeding in rand()/mt_rand() 

• These generators can be seeded with the 
respective functions mt_srand() and srand(). 

• If the generator is not seeded, then the following 
32 bit seed is produced: 


seed = (time()*pid) A (10 A {6}*php_combined_lcg()) 


◄ 

Assume we have a preimage for a session identifier. 


Leaked by the Date 
HTTP Header 



Obtained through the 
session id preimage 



seed = (time()*pid) A (10 A {6}*php_combined_lcg()) 



Obtained through the 
session id preimage 



A session identifier preimage completely determines 
the Seed of the mt_rand() and randO PRNGS! 


The. attack does not require any outputs from the 
targetted PRNGS! 


Case study 



$user->hash = random::hash() 
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static function hash($entropy="") { 
return md5(Sentropy. uniqid(mt_rand(), true)); 

} 



Attack: 

• Obtain a preimage for a session identifier 

• This will give uniqid's extra entropy and mt_rand 

• Use request twins to bruteforce uniqid's timestamp. 





The bruteforce idea of SeSSion-id also applies 
on the Seed of randO and mt_rand(). 


Assume we are connected to a fresh process and obtain 
some outputs are dependent on rand()/mt_rand(). 




Then we can do an offline bruteforcing of all 2 A {32} 
possible seeds to find which one generated the observed 
outputs. 



Contrary to the previous attacks that relied on 
information obtained online this attack relies only on the 
small size of the seed. 










Therefore the process can be further optimized using 
an application specific rainbow table. 




Password reset algorithm in Joomla 

• 2008: mt_rand() seeded with microtime(). 

• 2010: mt_rand() seeded with the crc32 of an 
unpredictable string along with an installation time 
generated key produced the same way. 

• 2011: Seeding removed, and default PHP seeding was 
use along with the secret key. 


Stoken = JApplication::getHash(JUserHelper::genRandomPassword()); 



Sregistry->set('secret', JUserHelper::genRandomPassword(16)}; 


public static function genRandomPassword($Iength = 8) 

Ssalt = "abcdef[...]QRSTUVWXYZO 123456789"; 
Slen = strlen( Ssalt); 

Smakepass - 

for (Si = 0; Si < Slength; Si++) 

{ 

Smakepass .= Ssalt[mt_rand{0, Slen - 1)]; 

} 

return Smakepass; 


function getHash(Sseed) 

{ 

return md5(JFactory"getConfig()->get('secret T ). Sseed); 

} 



Notice: 

If the configuration script was executed on a fresh PHP 
process then the entropy of the secret key is 32 bits 
regardless of its length! 


secret key is used for "remember me" cookies. 
setcookie(self::getHash('JLOGIN_REMEMBER'), Srcookie,...); 



Vulnerability no. 1 

• Get a "remember me" cookie and bruteforce all 
2 A {32} possible secret keys. 

• Once the secret key is recovered use one of the 
previously mentioned attacks to predict future 
generated tokens. 


The attack works only when the secret key 
is generated from a fresh process. 



1 


But let’s assume that the key is totally random. 


Web 

Server 




Attack, phase 2 


¥■ P1 



Web 

Server 


Expected Number of requests: 2 * { 32 } :-( 












We can request more than one token 
in the first phase of the attack. 



1 token — > 2 A {32} requests 

2 tokens --> 2 A {32}/2 requests 
k tokens —> 2 A {32}/k requests 



Total number of requests as a function of 
the token pairs we will request: 

F(x) = 2x + 2 A {32} / x 

f \ 

2 requests for number of requests to hit one 

2 tokens of the tokens we have obtained. 


Our goal is to minimize function F. 


F minimizes atx = 2 A {15.5} for which we 
have that F(x) =~ 185k requests. 

New process creation will incur a 10% 
overhead in default Apache installations. 



Web 

Server 









Attack Revisited, phase 2 





Attacker ■ ► 

submit t2 as target user s token 


Web 

Server 


Expected Number of requests: 2 A {16.5} :-) 






This attack shows that a general class of otherwise secure token 
generation algorithms are vulnerable due to the insecure seed of PHP. 


ex. Stoken = AES($very_random_key, mt_rand().mt_rand()). 
































• Hardening extension for PHP. 

• Replace rand() with a Mersenne Twister generator with 
different state than mt_rand(). 

• Disables srand() and mt_srand() functions. 

• Seeds the generators once at process startup with a secure seed. 

• Entropy gathered from the operating system. 




State Recovery Attacks 


All PRNGS in the PHP core are linear 



Truncation: 

• The output may be truncated to a 
smaller range. 

• This may introduce non linearity to 
the generator. 



l"T\/r1 (a Atf'l) 


WTT 


A if 1 


In order to truncate a number n from [M] = 
to a range [a,b] PHP does the following: 

, n ■ (b — a + 1) 

l = a+ —- 1 



We can view this process as one that puts M values 
into b-a+1 buckets based on their MSBs. 


Given a bucket number we can determine a range 
for the original number n 


L 


{l-a)- M 


| < n < | 


(l — a + 1) ■ M 


j-i 


b — a + 1 


b — a + 1 



Depending on the number of bits common in the 
upper and lower bound we can determine some of 
the MSBs of the original number. 



MSB(n)=0 


MSB(n)=1 


00 

0 

01 

? 

• 

10 

1 

11 

1 

1 

1 

1 

! 

1 

i f 

0 

M/4 


M/2 

3 M/4 

M 










Process identification: 

• We want to get all outputs from the same 
generator. 

• Because of the Keep-Alive limit the server 
might close the connection before the 
necessary leaks are collected. 


eaks are collected. 


Process Distinguisher 


lit we will be disconnected 
lumber of requests. 


How can we find the correct process? 


V- Need 




Due to the Keep-alive limit we will be disconnected 
from our process after a number of requests. 

• However we can try to reconnect afterwards. 


Algorithm: 

• Connect to a fresh process and obtain a session id preir 
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Need access to some process specific state 


Idea: 

Use the session id preimage as a process 
specific state to distinguish between server 
processes. 


Algorithm: 

• Connect to a fresh process and obtain a session id preimage. 

• Obtain PRNG leaks until the server closes the connection. 

• Start reconnecting to the server and requesting session 
identifiers. 

• For each session check if it is generated using the next 
round of php_combined_lcg than the one used in the 
preimage we have. 

• If a match is found then we have connected to our process. 


state recovery for randO 


;ad-Shamir Framework High level description 

es the problem of uniquely solving an * Define a lattice over the coefficients of the 


rand() implementation depends on the OS: 

> On windows a 15 bit LCG is used 

X n +1 = (aX n + c) mod m 

> On *nix systems an additive feedback generator is used: 

L n = {n -3 + rj_3i) mod 2 32 

> Truncation introduces non linearity. 






Hastad-Shamir Framework 

Solves the problem of uniquely solving an 
underdetermined system of linear modular equations 
when part of the variables is known. 


High level description 

• Define a lattice over the coefficients of the 
equations 

• Find a reduced basis of the lattice using 
the LLL algorithm. 

• Use the fact that the basis vectors are 
small to uniquely solve the system over 
the integers. 


Bottleneck point: 

• Lattice base reduction of a lattice with dimension 
equal to the number of leaks needed. 

• Public LLL algorithm implementations have 
complexity 0(d A 5). 

• A 0(d A 3 logd) variant exists, but without any 
public implementation. 


Implementation experiments 
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Summary: 

• LCGs can be efficiently recovered unless we 
have extremely large truncation levels. 

• Similar behavior is observer in the glibc 
generator however the LLL complexity did 
not allowed to recover more than 6 bits. 


State recovery for mt-randO 


Notice: 

Truncation does not introduce non linearity 
to the generator. 


• Each output bit can be express 
linear equation to the internal 

• Take each output bit obtained 
create a linear system. 

CArefpm hac a iinirmp c/\li 


Mersenne Twister: 

Based on a linear recurrence over GF(2): 

Xk+n — x k+m © i( x k A Ox80000000)|(x^+i A 0x7fffffff))A 


xA = 


(;x 1) if x 31 = 0 
(x 1) © a if x 31 = 1 


Huge state of 19937 bits, (a Mersenne Prime) 

To improve randomness properties the output of the 
recurrence is multiplied by an invertible matrix: 

z = xT 

T is called the tempering matrix. 


Notice: 

Truncation does not introduce non linearity 
to the generator. 


Each output bit can be expressed as a 
linear equation to the internal state. 

Take each output bit obtained and 
create a linear system. 

If the system has a unique solution the 
solution will give the internal state of 
the generator. 



How can we know that the System has a 
unique Solution in advance'? 


Employ an online gaussian solver: 

• As equations are obtained from the server 
add them to the system. 

• Stop when the system becomes uniquely 
solvable. 



Implementation experiments 






































Equations vs truncation. 












































































































































Time vs Truncation 











































































































































Case study 
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function phorum_gen_password(Scharpart=4, Snumpart=3) 

{ 

S vowels = ... //[char array]; 

Scons = ... //[char array]; 

Snum_vowels = count($ vowels); 

Snum_cons = count (Scons); 

Spassword=""; 

for(Si = 0; Si < Scharpart; Si++){ 

Spassword .- Scons[mt_rand(0, Snum_cons - 1)] 

. Svowels [mt_rand(0, Snum_vowels - 1) ]; 

} 

Spassword = substr($password, 0, Scharpart); 
if(Snumpart){ 

Smax=(int)str_pad("", Snumpart, ”9"); 
Smin=(int)str_pad(" 1", Snumpart, "0"); 

Snum=(string)mt_rand(Smin, Smax); 

} 

return strtolower(Spassword.Snum); 

} 



At least 4 mt_rand() outputs skipped in each call. 
• The resulting system is very dense. 



Results: 

On average: 

• 11 reconnections of the client. 

• 30 minutes to compromise the application. 


Tools of the Tbade 

• Nobody likes to write exploits in C! 

• A set of tools with a python interface in order to exploit 
randomness attacks: 

• Online Gaussian solver. 

• Lightweight rainbow tables implementation. 

• Programmable web bruteforcing tool. 

• check http://crypto.di.uoa.gr for a release. 


Randomness Attacks Mitigation 

• PHP 5.4 added extra entropy to the session identifier. 

• session.entropy_length enabled by default. 

• Suggested to add secure seeding to all PRNGs in the PHP core. 

• PHP security team: "This is an application specific problem". 

• Secure PRGs from extensions are rarely used right now. 

• A drop in replacement for any token generator can be found in 
http://crypto.di.uoa.gr 

• Checks for crypto strong PRGs in the PHP system 

• Otherwise collects entropy from various sources. 


Related Work 

Stefan Esser 

• mt_srand and not so random numbers. 
Sarny Kamkar 

• How I met your girlfriend. 

Gregor Kopf 

• Non obvious bugs by example. 


Summary 

• Randomness attacks affect a very large number of 
PHP applications. 

• Exploit mitigations are needed for these attacks. 

• Crypto bugs are becoming a trend for exploitation. 


Thank You! 


Questions? 

PRNG: Pwning PSeudoRandom number 

Generators 
(in PKP applications) 

George Argyros Aggelos Kiayias 


